{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25458", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.793Z", "datePublished": "2026-03-25T16:14:50.862Z", "dateUpdated": "2026-03-25T16:14:50.862Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "moments", "product": "Moments", "vendor": "Select-Themes", "versions": [{"lessThanOrEqual": "<= 2.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:29.746Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.<p>This issue affects Moments: from n/a through <= 2.2.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affects Moments: from n/a through <= 2.2."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:50.862Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/moments/vulnerability/wordpress-moments-theme-2-2-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Moments theme <= 2.2 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affects Moments: from n/a through <= 2.2."}], "id": "CVE-2026-25458", "lastModified": "2026-03-25T17:16:52.010", "metrics": {}, "published": "2026-03-25T17:16:52.010", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/moments/vulnerability/wordpress-moments-theme-2-2-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:28:59.984637+00:00", "value": {"mitigation_remediation": ["Upgrade the Moments theme to any version newer than 2.2.", "If an upgrade is not immediately possible, disable the Moments theme until a patch is applied.", "If feasible, restrict the file inclusion paths in the theme\u2019s source code or apply web\u2011server level restrictions, such as denying access to root\u2011level directories and disabling directory listings."], "summary": {"action": "Patch promptly", "impact": "Local file inclusion that can expose sensitive files or enable code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Moments theme from the vendor Select\u2011Themes and are running version 2.2 or earlier remain vulnerable. Any installation that has not upgraded beyond these versions is at risk.", "description_and_impact": "The Moments theme for WordPress includes a PHP include/require statement that does not properly validate the file name supplied. This weakness allows an attacker to influence the path of a local file that the theme attempts to load. The result is that an attacker can read arbitrary files on the server, and, if the selected file contains PHP code, it could be executed server\u2011side, leading to potential confidentiality and integrity violations.", "risk_and_exploitability": "The CVE is classified as a local file inclusion (CWE\u201198). No EPSS score is provided and the vulnerability is not listed in CISA's KEV catalog, so the likelihood of exploitation remains uncertain. Based on the description, it is inferred that the attack can be launched via a standard web request that supplies a crafted parameter to the Theme, without needing privileged credentials. If successful, an attacker could read privileged files or, by including a malicious PHP file, run arbitrary code with the web server\u2019s privileges."}}}}, "created": "2026-03-25T21:44:21.213981+00:00", "updated": "2026-03-25T21:44:21.214038+00:00", "vendors": []}